Magic Bytes: Helps file go undetectable!


To identify a file's format, one typically only needs to look at the first few bytes of the file in question. These bytes are often called magic bytes, or the file signature, and they help in identifying the type of file. It is useful to look for file format signatures, infer from them how the application is using these formats, and consider how the formats may be abused to provoke undefined behaviour within the application.


Where can it be used?

Wrapping of Malware

  • A malware wrapper is an otherwise non-malicious file that can have a malware file bound to it.
  • It is possible for malicious software to disguise its magic number, potentially masquerading as another file type. Detecting a certain magic number typically indicates the file type, but a file does not always carry the correct magic number for its real type.
  • The vulnerability advisory basically states that the majority of virus scanners are unable to detect some malware if a fake file header is prepended to the malicious file.
  • This more or less boils down to script-like malware, such as .bat and .html, going undetected if an MZ header, for instance, is prepended to the file. Most virus scanners seem to assume that such a file is an executable, and will therefore no longer detect the malware.


File Upload Vulnerabilities

  • File upload functionality is commonly associated with a number of vulnerabilities.
  • Exploiting this vulnerability can be done by:
    • Checking whether it is possible to place executable HTML/JavaScript into the file, which executes when the file's contents are viewed.
    • Checking whether the application performs any filtering on the file extension or MIME type of the uploaded file and embedding the file with a script by bypassing the possible checks.
    • Checking whether it is possible to construct a hybrid file containing both executable and non-executable content, to bypass any content filters - for example, a file containing both a GIF image and a Java archive (known as a GIFAR file) by adding proper headers and segregating the two to execute differently.
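
The checks a scanner or upload handler can make against the fake MZ header and the GIFAR-style hybrid described above, as an added example that is not code from the original post. The function names and finding labels are hypothetical, and the signature table covers only a few well-known types.

```python
import struct

# Well-known leading signatures for a few types.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "exe": (b"MZ",),
}
IMAGES = {"gif", "png", "jpg"}
ZIP_EOCD = b"PK\x05\x06"  # ZIP/JAR end-of-central-directory record


def is_real_pe(data):
    """MZ alone proves nothing: e_lfanew (offset 0x3C) must point at 'PE\\0\\0'."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def has_trailing_zip(data):
    """True if a ZIP end record closes the file (archives are read from the end)."""
    pos = data.rfind(ZIP_EOCD)
    if pos < 0 or pos + 22 > len(data):
        return False
    (comment_len,) = struct.unpack_from("<H", data, pos + 20)
    return pos + 22 + comment_len == len(data)


def inspect(data, declared_ext):
    """Return findings for one file; an empty list means nothing inconsistent."""
    ext = declared_ext.lower().lstrip(".")
    ext = "jpg" if ext == "jpeg" else ext
    detected = next((t for t, sigs in MAGIC.items() if data.startswith(sigs)), None)
    findings = []
    if ext in MAGIC and detected != ext:
        findings.append("magic-mismatch")
    if detected == "exe" and not is_real_pe(data):
        findings.append("fake-mz-header")  # still scan the body as text/script
    if detected in IMAGES and has_trailing_zip(data):
        findings.append("zip-appended")    # GIFAR-style hybrid
    return findings


if __name__ == "__main__":
    # Constructed samples, not real malware or real images.
    eocd = ZIP_EOCD + b"\x00" * 18
    print(inspect(b"MZ@echo off\r\n", ".bat"))
    print(inspect(b"GIF89a" + b"\x00" * 16 + eocd, ".gif"))
```

A file that produces any finding should be rejected by an upload handler, or scanned under every type it could be parsed as rather than only the type its first bytes suggest.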

Steganography

  • Steganography is a technique that allows two or more people to communicate covertly by hiding a secret message inside a cover medium. The data in which the message is embedded is called the cover or host data, and the methods are named after it: Audio Steganography, Text Steganography, Image Steganography, and Video Steganography.
  • File signatures can be used to fool the man in the middle and deliver the message to the other end. This can be done by disguising a text file (.txt) or video file (.mp4) by embedding it into a new file like a .png or .jpeg file.
  • Check Hide Files behind Audio or Image File (S-Tools)
  • Also, Check to Hide files behind an Image File (Without Using Software)
